Open source and malware assessment

Overview

An analytic engagement that examines your Git repositories to identify the Open Source libraries in use, their maintenance status, any known malware in dependencies, who your developers are and the current technology landscape. We help you gain visibility into your code and developer behaviours so that these questions can be answered and common patterns identified.

Every organisation has its own way of developing software and applications, aligned with its business objectives and culture, spread across many code repositories and providers. That is why the ability to query your code and the maintenance status of its libraries is essential.

The key questions that are answered in this assessment are:

  • What Open Source libraries are we using in development?

  • Are there any known Open Source malware libraries in our repositories?

  • Who are our developers and how many are active?

  • What languages and technologies do we work with?

  • What is our organisation's technology landscape (i.e. languages, libraries)?

Effort and Scope

An assessment starts at 10 days effort, based on a sample size of up to 750 Git repositories.

Target Audience

  • Security teams

  • Engineering managers, DevOps and DevSecOps teams

  • Audit and compliance

Key Features and Benefits

  • Identify your developers, the current languages they are using, and the technology landscape

  • Understand whether Open Source libraries are up-to-date or within upgrade tolerance

  • Identify known malware in Open Source libraries, requiring immediate investigation

  • Identify developers and their technology usage as well as which repositories they worked in

Common Use Cases

Identify Open Source libraries in use

Do you know all the Open Source libraries your developers are using? Many don’t, and can’t easily get answers to this question. By performing this assessment, you gain a snapshot of the current state of your libraries: which versions are in use and how many versions behind the latest release they are, so that potential upgrade challenges and areas needing maintenance can be understood.

Identify repositories with higher Open Source maintenance requirements

Our experience shows that many teams don’t update their Open Source libraries, which makes upgrading harder as time goes on and leaves them more likely to carry known security vulnerabilities.

By measuring how many versions behind each dependency is, and when the package itself was last updated upstream, we can identify maintenance hotspots.

Identify known malware in open source libraries

Open Source package ecosystems are increasingly used as a vector for malware. The malware assessment builds on the Open Source inventory produced earlier in the assessment, queries it against known-malware package lists, and reports which repositories are affected and which developers work on that code base.

Identifying the number of developers and the technology landscape

For many organisations, some fundamental questions can be elusive to answer, such as:

  • Who is a developer?

  • Who has developed code in a given timeframe (e.g. the last 90 days)?

  • What languages and technologies are used by developers, a repository or an organisation?

  • How many developers do we have, so that we can budget for licences?

  • Which code bases look stale?

  • What security test automation capabilities or requirements do we need?

Generate automated training lists for compliance and capability development

Some organisations require developers to undergo annual security training for the languages they use. We can identify those developers, and the languages and technologies they’ve worked with, simply by looking at code changes over the last year.

Identify operational risk from the changes to code bases in your organisation

There are many maintenance and operational capability questions around code bases that can be answered, such as:

  • Has this code base been updated or developed recently?

  • Which repositories have changed in a given period?

  • Does the last person to change this code still work here?

  • Who knows how to maintain this critical code base?

Our Approach

  • Run an initial discovery session with key stakeholders (e.g. security, platform, DevOps, Development) to identify key questions or metrics to be answered or identified

  • Define use cases for the engagement

  • Identify in-scope Git providers and repositories for analysis

  • Determine data location requirements (e.g. on-premises or SaaS data sources)

  • Determine where the analytics tools for this engagement will be deployed

  • Examine code repositories to identify the technology landscape (e.g. languages, frameworks, build tools, deployment environments)

  • Perform analysis on code repositories aligned with use cases

  • Run through results with stakeholders

Outcomes

  • A written report and presentation of findings and recommendations

  • A summary of who your developers are and what languages and technologies they use

  • An inventory of Open Source libraries and their maintenance status

  • Summary of the adjunct development technologies and tools used

  • Recommended improvements for security test automation

  • Proposed follow-on engagements to accelerate adoption of the recommendations and build an ongoing analytics capability

Contact us to discuss your requirements and challenges.